What are Apps?

Over the last few years, desktops became laptops.  Laptops gave way to Notebooks. Notebooks became Ultra Books and the trend is moving towards Tablets and Smartphones.

As a result of this, web applications are paving the way for Apps.

Reasons for “Apps” development

  • No custom code execution on server side. It avoids application / server outages.
  • Custom code will be executed in Client-Browser, or IIS or Windows Azure, which are completely out of SharePoint’s scope.
  • The Server Object Model (SOM) code is replaced by Rest Services Client Side Object Model (CSOM) using which apps can communicate with a server. Authentication is done by OAuth.
  • Installation/updation /uninstallation of apps can be done without affecting the SharePoint site.
  • Better usability in mobile and tablets devices.
  • Takes SharePoint to the next level in terms of usability, deployment, development and hosting (Cloud).
  • Finally, everything in SharePoint 2013 is an App.

Types of Apps for SharePoint


  • Complete client-side code
  • Deployed to SharePoint On-premises, SharePoint online or in Office 365


  • Deployed to a different on-premises server (not SharePoint) or the cloud


  • Automatically provisions resources to SQL Azure and Windows Azure

Diagram of a possible Hybrid approach with some components in SharePoint and others residing in the Cloud:


SharePoint-hosted Apps:

  • App components hosted in isolated app domain
  • No server-side code – can use HTML, JavaScript and CSS

Provider-hosted Apps:

  • App components can be hosted anywhere ( on-premises or Cloud )
  • Authorized using JavaScript cross-domain library or OAuth
  • IncludesWindows Azure Web Sites
  • Can use ANY implementation language (ASP.NET, PHP, etc.)

Auto-hosted Apps:

  • App components are hosted in SQL Azure and Windows Azure
  • Automatically provisioned when app is installed
  • Authorized using the JavaScript cross-domain library or OAuth
  • Only available in SharePoint Online
  • Infrastructure is in preview status
  • Production use not recommended
  • Office Store not yet accepted

Host Web and App/Remote Web:

  • Each app is deployed to a SharePoint site known as the host web
  • Each app installation has its own unique URL
  • App web provisioned with app installation
    • https://[app prefix][app hash].[app domain]/[relative site URL]/[app name]
    • Required for Share Point hosted apps, optional for cloud-hosted apps
  • Cloud-hosted apps have a remote web
    • In Office 365, the remote web for Auto hosted apps is under 365apps.net
    • Name reminds us that this web doesn’t live on the SharePoint server

App Development Tools:

  • Office development tools for Visual Studio 2012/2013
  • “Napa” Office 365 development tools
  • Browser-based development environment (SharePoint-hosted apps only)

Office Development Tools for Visual Studio:



  • NET web application projects include classes to handle app AuthZ and AuthN (using OAuth)
  • SharePointContext.cs
    • Functions to manage SharePoint context across page requests
    • Can create app contexts and/or user for app and/or host webs
  • TokenHelper.cs
    • Functions to create and obtain AccessToken and ContextToken objects
  • On other platforms, you have to do the OAuth implementation and manage tokens yourself
  • Convert existing web application project to an App for SharePoint project

Accessing SharePoint data remotely:

  • JavaScript client object model (JSOM)
  • .NET Managed client object model (CSOM)
  • REST endpoints with OData

App authentication/authorization:

  • We can’t interact with data stored in SharePoint unless we (our apps) are authenticated to SharePoint and authorized to access data
    • Authentication: Are you who you say you are?
    • Authorization: Do you have permission to do what you are trying to do?
  • How can cloud-hosted apps for Share Point securely access data from the remote web?
    • Firewalls could be between servers
    • Code and script could be running on different domains
    • The external web server might not even be running Windows!

App authorization policy types:

  • User-only
    • Only the user identity is considered (non-app interactions with Share Point)
  • App + User
    • “Access denied” if one and/or the other lacks permissions
    • Both the app identity and the user identity are considered
  • App-only
    • Only the app identity is considered
    • Only supported for server-side code in cloud-hosted apps
    • Can’t be used with certain APIs (e.g., Search, Project Server)
    • Allows for elevation above current user’s permissions (or when there is no current user)

App permissions:

  • Trust must be explicitly granted by the user installing the app (nothing or all)
  • User installing the app must also have all permissions the app is requesting

Deploying provider-hosted apps:

  • To use OAuth, you must register an app principal
    • Automatically handled for Auto-hosted apps and <F5> local host deployments
    • Requires a visit to /_layouts/15/AppRegNew.aspx for provider-hosted apps
  • Update <appSettings> values in web.config file
    <add key=”ClientId” value=”xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” />
    <add key=”ClientSecret” value=”xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=” />
  • Deploy/publish your remote web project
  • Set full URL for Start page in AppManifest.xml
  • Right-click and “Publish…” the app project
  • Click Package the app to generate .app file
  • Deploy the .app file to your app catalog
  • Click the link to launch the app
  • Grant permissions the app requests


  • Rajesh Kumar VSNK works as Module Lead with Trigent Software. With 10+ years of experience in building and designing internet/intranet based systems, Rajesh has considerable (over 7 years) experience in SharePoint Technology – SP 2013, SP 2010 and MOSS 2007. He also has experience working on migration projects from MOSS 2007 to SP 2010 and MOSS 2007 to SP2013.

Related Posts